Terragon Group

Information Security Policy

Last reviewed on 30th August 2024

1. Introduction

Information has become a critical resource for organisations, which now depend heavily on their information resources. Hence, there is a need to protect it and to manage the risks associated with its use. This policy defines how information security will be set up, managed, measured, reported on and developed within Terragon.

1.1 Purpose

Terragon Group Limited (“Terragon”) has established this Information Security Policy to provide high-level guidance and to set the minimum requirements that must be followed to maintain the required level of Information Security within the organisation. The document lays the foundation for how Terragon implements information security.
The overall control and operational objectives are to:

  • Provide guidance to all employees on how to protect Terragon’s information systems in a manner that balances cost effectiveness, reasonableness and an adequate level of protection, and that helps to facilitate compliance with current and projected regulatory, business and IT requirements.
  • Provide guidance to enable the secure conduct of business and transactions with Terragon employees, interns and third parties.
  • In addition to the Policy statements, provide guidance and a list of “to-do” and “not-to-do” security practices.

1.2 Scope

  1. The policy is applicable to ALL stakeholders of Terragon’s information systems infrastructure (employees, contractors, partners, vendors etc.).
  2. This policy applies to all information in physical and electronic format (including Terragon’s intellectual property) held by or entrusted to Terragon throughout the information lifecycle, which includes creation, collection, storage, distribution, archiving and disposal.
  3. Therefore, the policy covers the use of the entire Information Technology infrastructure of the organisation. It includes all the PCs, servers (on-premises and cloud) and networks, connecting devices and components, software, communication equipment and supporting electrical power distribution equipment.
  4. The policy scope also defines the operation and use of the Internet. Also considered are security issues ranging from physical to logical security.

1.3 Management Commitment and Compliance

Terragon Group Management is committed to mitigating risk, and meeting the compliance requirements of its services. To this end, this Information Security Policy has been documented and approved in order to clarify business interpretations and implementation requirements of the organisation’s Information Security.
No unauthorised deviation from the minimum requirements of this policy will be allowed. Business units are requested to discuss any requirements for deviation with the Executive Leadership Team. Any breach will result in disciplinary action (See Disciplinary Policy).

1.4 Continual Improvement

Terragon’s policy with regard to continual improvement of the Information Security Management System is:

  • To continually improve the effectiveness of the Information Security Management System.
  • Comply with ISO 27001 and maintain it on an on-going basis.
  • Enhance current processes to bring them in line with good practice as defined within ISO/IEC 27001.
  • Increase the level of proactivity with regard to the on-going management of information security.
  • Review relevant metrics on an annual basis to assess whether it is appropriate to change them, based on collected historical data and feedback from relevant sources.
  • Obtain ideas for improvement via regular review meetings with stakeholders and implement where necessary.
  • Update the Continual Improvement Log on a defined basis and continually review open items.

1.5 Policy Review Schedule

It is the responsibility of the ISMS Manager to ensure that this policy is reviewed at least once annually. Internal or external factors may drive the need for a review prior to the scheduled time.

2. Information Security Principles

This policy maintains the generally accepted information security objectives as the pillars upon which its various tenets are built. It is important that all employees cultivate this culture as part of our drive towards a highly secured and efficient system. Terragon’s high-level Information Security Objective is to protect the organisation’s information and information assets in terms of Confidentiality, Integrity, Availability, Access, Appropriate use and Employee privacy.

2.1 Confidentiality

  • Confidentiality can be defined as “The concept of holding sensitive data in confidence, limited to an appropriate set of individuals or organisations”. The need to keep our sensitive information assets in confidence cannot be over-emphasized.
  • Cloud services are used to store Terragon’s most important information resources, which must be kept strictly confidential.
  • Breach of confidentiality can take place by word of mouth, by printing, copying, e-mailing or creating and spreading documents and other data.
  • The classification of the information should determine its confidentiality and hence the appropriate safeguards.
  • Maintaining the confidentiality of information stored on the server therefore requires:
    • Ensuring that only authorised users can access the services and information.
    • Ensuring that authorised users can access only the services for which they are authorised.

2.2 Integrity

  • Integrity is the quality of information that identifies how closely the data represents reality. According to the COBIT IT Governance framework, integrity “relates to the accuracy and completeness of information as well as to its validity in accordance with the business set of values and expectations”.
  • This is the ability to keep information from being changed by unauthorised users and to ensure that the information is complete and unchanged. For example, making copies of a sensitive document (say by emailing a file) threatens both the confidentiality and the integrity of the information, because each additional copy is at risk of change or modification. Maintaining the integrity of information stored on the servers includes ensuring that one can recognise and recover from breaches of integrity.
  • Terragon servers also store information used for management decisions and client information, which demands a high level of integrity and confidentiality.
  • The two most important principles for achieving and maintaining information integrity are:
    • The principle of separation of duty: This states that no one person should perform a task from beginning to end, but that the task should be divided among two or more people to prevent fraud by one person acting alone.
    • A well-formed transaction is defined as a transaction where the user is unable to manipulate data arbitrarily. A security system in which transactions are well formed ensures that only legitimate actions can be executed. It also ensures that the internal data is accurate and consistent with what it represents.

2.3 Availability

  • Availability goes hand-in-hand with confidentiality and integrity. Availability is the ability to provide authorised users information when it is required. A power outage or viruses that crash a computer system are some examples of an availability attack.
  • Maintaining the availability of the services includes:
    • Ensuring that services are uninterrupted even when there are hardware or software failures or during routine system maintenance.
    • Ensuring that recovery from security incidents is effected on time.
  • Confidentiality, Integrity and Availability are the prevailing conditions that provide us with the basis for building a basic Security Management Model.

2.4 Guiding Principles

The broad goal of information security in the Organization is to maintain the Confidentiality, Integrity, and Availability (CIA) of data. To achieve this goal, Terragon has identified a set of core security principles to guide the creation of policies. The Policies are derived from the principles of ISO27001 framework and additionally reflect appropriate industry best practices. The Policy will, in turn, be further supported by formal, detailed standards and team-specific Standard Operating Procedures (SOPs) as necessary. From these simple principles, Terragon builds and maintains the foundation of a strong security posture.

  • Universal Participation: Every component of an organisation could be a potential avenue of compromise of the three core principles of confidentiality, integrity and availability. Thus, Terragon has a strong security program which includes all parties in the organisation. Everyone is responsible for implementing the security policy as it relates to their specific role and responsibilities.
  • Risk-Based Security: An organisation’s security is defined by the set of risks it faces. These risks should be identified regularly and should remain the primary focus of any security policy or program.
  • Compartmentalisation: If one compartment is compromised, subsequent compartments should be safe.
  • Secure Failure: When a system’s confidentiality, integrity or availability is compromised, the system should fail to a secure state.
  • Need-to-Know: Information will only be circulated to those parties requiring it in order to perform their defined business function.
  • Effective Authentication and Authorisation: Firmly established identity and role-based authorisation are essential to making informed access control decisions.
  • Audit Mechanisms: Implement audit mechanisms to detect unauthorised use and to support incident investigations.

3. Detailed Information Security Objectives

Terragon’s Information Security Objectives are linked to performance metrics for effective measurement of their fulfilment. Plans to achieve these objectives are detailed in the ISMS Calendar and Performance Metrics document.
The objectives are as follows:

  • Risk Assessment: To ensure that information security risks are identified, assessed and treated in a consistent manner across the organisation.
  • Information Asset Management: To ensure information assets receive an appropriate level of protection. To achieve and maintain appropriate protection of information assets based on the associated business risk.
  • Human Resources: To ensure that employees and third parties understand their responsibilities with regard to information security.
  • Physical Security: To ensure information security requirements form an integral part of the Organization’s physical and environmental policies. These requirements are applicable to Terragon premises only and are bound by country-specific laws.
  • Network and IT Operations Security: To protect Terragon’s network and IT systems from unauthorised access, malicious code and attacks and to detect unauthorised network and IT system use.
  • Third Party Security: To ensure that third parties deliver services in a manner that meets Terragon’s minimum information security requirements.
  • Logical Access Management: To ensure that only authorised users are given access to Terragon’s information, IT systems and networks.
  • System Acquisition, Development and Maintenance: To ensure that security requirements are identified and agreed before implementation of a new IT system as well as when maintaining existing systems.
  • Information Security Incident Management: To implement a consistent and effective process for the reporting, resolving and closure of information security incidents in order to minimise risk to information assets.
  • Business Continuity Management: To ensure information security requirements form an integral part of Terragon’s business continuity management (BCM) programme.
  • Information Security Compliance: To ensure that Terragon complies with Information Risk and Information Security policies, and applicable legislation, regulations and/or contractual obligations.
  • Privacy: To ensure compliance with privacy requirements as described in relevant legislation, regulations and contractual clauses.

4. Information Security Roles and Responsibilities

The roles and responsibilities described below are for the effective implementation, operation and continuous improvement of Terragon’s Information Security Management System (ISMS).

4.1 Executive Leadership Team

The Executive Leadership Team will drive IT and Information Security goals and ensure that these goals are aligned with business objectives.
The Executive Leadership Team, as the Governance body, assumes the responsibility to:

  • Establish the ISMS policy, objectives and plans
  • Define Information Security (IS) strategy and direction, allocate roles and responsibilities and oversee the Information Security activities.
  • Communicate the importance of meeting the objectives and the need for continual improvement.
  • Maintain an awareness of business needs and major changes.
  • Determine and provide resources to plan, implement, monitor, review and improve information security and management e.g. recruit appropriate staff, manage staff turnover.

4.2 Heads of Department

Heads of Departments have overall accountability for:

  • Making their team members aware of this policy and ensuring that they comply with it.
  • Guiding and encouraging their team members to report information security incidents.
  • Setting a good example for their team members by following all applicable security practices.
  • Ensuring that adequate resources are applied to the ISMS programme and that it is successful.

4.3 Enterprise Security

  • Conduct periodic ISMS Audits as per the agreed schedule.
  • Remediate gaps identified in ISMS internal and external Audits.
  • Review the compliance posture of security controls on various IT systems, applications, operating systems and devices.
  • Support the ISMS Manager in providing guidance on remediation planning, controls implementation and information security risk mitigation.

4.4 Terragon Employees and Third Parties

It is the responsibility of all employees to read and comply with Terragon’s Information Security Policies. While not all Information Security Policies contained herein are applicable to all Terragon’s business and employees’ functions, it is every end user’s responsibility to protect information assets. Non-compliance with these Information Security Policies will result in disciplinary action up to and including termination or legal action.
All users, contractors, and third parties are responsible to:

  • Notify the ISMS Manager of any security breach, violation, or suspicious activity
  • Comply with principles defined in this policy
  • Use information assets appropriately and responsibly
  • Treat system account information, passwords, access codes, and other sensitive access information as extremely confidential. All users are responsible for the activity that occurs with their unique identifier or logon credentials.
  • Secure all confidential media or USB sticks in your personal workspace when not present.
  • Not place unauthorised software or data files on Terragon’s systems. Authorised software must only be used in accordance with licensing agreements, and must not violate any copyright laws
  • Not use technical knowledge or programs to bypass security, monitoring, or filtering controls implemented by Terragon

All Terragon employees are:
  • Responsible for identifying information assets and determining their appropriate information classification levels.
  • Accountable for the security (that is, the confidentiality, integrity and availability) of the information they own and control. Where the responsibility for implementing controls has been delegated, accountability must remain with the data owner.

4.5 People and Culture Team

The People and Culture team must:

  • Support the business areas in incidents that involve investigations of their staff.
  • Assist Heads of Units / Departments in enforcing the disciplinary process for non-compliance with the policy directives.
  • Perform background checks on new employees to verify their personal data, references, character and competence. The background checks will comprise a Former Employment Reference, a Personal Reference and Criminal Background Information (where there is doubt about the individual’s criminal record); otherwise the previous employer and personal reference information will suffice.
  • Conduct criminal background checks for sensitive positions, such as executive drivers and employees in the finance department (Manager level and above).

4.6 Internal Audit

The internal audit function exists to enhance Terragon’s information security management system and to maintain its effectiveness, maturity and resilience. Its responsibilities are to:

  • Plan and execute audits of the ISMS to assess the effectiveness of controls, policies, and procedures related to information security.
  • Evaluate information security risks and vulnerabilities within the ISMS framework, including identifying potential threats and assessing the likelihood and impact of security incidents.
  • Ensure that the ISMS complies with ISO 27001 standards, regulatory requirements, and internal policies related to information security.
  • Assess the adequacy and effectiveness of information security controls implemented within the ISMS, including technical, physical, and administrative controls.
  • Identify gaps or deficiencies in the ISMS implementation and recommend corrective actions to address areas of improvement.
  • Prepare audit reports detailing findings, observations, and recommendations for improvement related to information security controls and ISMS performance.
  • Monitor the implementation of corrective actions resulting from audit findings and conduct follow-up audits to verify the effectiveness of remedial measures.
  • Identify opportunities for enhancing the ISMS, improving information security processes, and promoting a culture of continuous improvement in information security practices.

5. Password Policy

Objective: To ensure that appropriate password management controls are defined and correctly implemented for all network and system infrastructure, application systems and information resources (hereafter referred to as Systems) used by Terragon.

5.1 User Passwords

The allocation of passwords must be controlled through a formal management process, which must contain the following requirements:

  • When users are required to maintain their own passwords they must be provided initially with a secure temporary password, which they are forced to change immediately.
  • Temporary passwords must be given to users in a secure manner.
  • Temporary passwords must be unique to an individual and must not be guessable.
  • Passwords must never be stored on computer systems in an unprotected form.
  • Default vendor passwords must be altered following installation of systems or software.

5.2 Password Standard

Parameter               Value
Minimum length          8
Characters required     At least one UPPERCASE letter (A...Z), at least one lowercase letter (a...z), at least one symbol from {}[]\:;?><,./!@#$%^&*() and at least one number (0...9)
Change frequency        At least every 90 days
Account lockout         On 5 incorrect logon attempts (lockout for 15 minutes)
Account lockout action  Account must be re-enabled by IT Service Desk
Session timeout         At most 20 minutes

5.3 Password Use

All users shall:

  • Keep passwords confidential;
  • Avoid keeping a record (e.g. paper or hand-held device) of passwords, unless this can be stored securely;
  • Change passwords whenever there is any indication of possible system or password compromise;
  • Select quality passwords with sufficient minimum length which are:
    • Easy to remember;
    • Not based on anything somebody else could easily guess or obtain using person-related information, e.g. names, telephone numbers and dates of birth;
    • Not vulnerable to dictionary attacks (i.e. do not consist of words included in dictionaries);
    • Free of consecutive identical, all-numeric or all-alphabetic characters;
  • Change passwords at regular intervals or based on the number of accesses, and avoid reusing or cycling old passwords;
  • Change temporary passwords at the first log-on;
  • Not include passwords in any automated log-on process, e.g. stored in a macro or function key;
  • Not share individual user passwords;
  • Not use the same password for business and non-business purposes.
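The following is an added worked example, not Terragon’s own tooling: it turns the 5.2 Password Standard table (length and character classes, the 5-attempt / 15-minute lockout and the Service Desk re-enable) and the 5.3 rule against consecutive identical characters into checks a system owner could run against a proposed password or a logon event stream. The user names and timestamps are constructed; how the two lockout rows combine (the lock lapses after 15 minutes, or earlier when the Service Desk re-enables the account) is an assumption made here.

```python
"""Checks for the Password Standard table (5.2) and the password-quality rules
in 5.3. Added illustration only; not Terragon's own tooling."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Parameter values taken from the 5.2 table
MIN_LENGTH = 8
SYMBOLS = set("{}[]\\:;?><,./!@#$%^&*()")
LOCKOUT_THRESHOLD = 5
LOCKOUT_DURATION = timedelta(minutes=15)


def password_violations(password: str) -> List[str]:
    """Return the rules a candidate password breaks; an empty list means it complies."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any("A" <= c <= "Z" for c in password):
        problems.append("no uppercase letter")
    if not any("a" <= c <= "z" for c in password):
        problems.append("no lowercase letter")
    if not any(c in SYMBOLS for c in password):
        problems.append("no symbol")
    if not any("0" <= c <= "9" for c in password):
        problems.append("no number")
    # 5.3: free of consecutive identical characters (e.g. "ss" or "11")
    if any(a == b for a, b in zip(password, password[1:])):
        problems.append("consecutive identical characters")
    return problems


@dataclass
class AccountState:
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None


class LockoutTracker:
    """Lockout rows of the table: the fifth incorrect logon locks the account for
    15 minutes. Assumption: the lock also clears early when the IT Service Desk
    re-enables the account (the "Account lockout action" row)."""

    def __init__(self) -> None:
        self._accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self._accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now: datetime) -> bool:
        until = self._state(user).locked_until
        return until is not None and now < until

    def record_logon(self, user: str, success: bool, now: datetime) -> str:
        """Record one logon attempt; returns 'ok', 'failed' or 'locked'."""
        state = self._state(user)
        if self.is_locked(user, now):
            return "locked"  # rejected even if the credentials were correct
        if success:
            state.failed_attempts = 0
            state.locked_until = None
            return "ok"
        state.failed_attempts += 1
        if state.failed_attempts >= LOCKOUT_THRESHOLD:
            state.failed_attempts = 0
            state.locked_until = now + LOCKOUT_DURATION
            return "locked"
        return "failed"

    def service_desk_reenable(self, user: str) -> None:
        """Account lockout action: IT Service Desk re-enables the account."""
        self._accounts[user] = AccountState()


def lockout_scenario() -> List[str]:
    """Constructed walk-through: five bad logons, a correct logon while still
    locked, a Service Desk re-enable, a successful logon, then a second lockout
    that is left to lapse on its own after 15 minutes."""
    tracker, t0 = LockoutTracker(), datetime(2024, 8, 30, 9, 0)  # constructed time
    events = [tracker.record_logon("jdoe", False, t0 + timedelta(seconds=i)) for i in range(5)]
    events.append(tracker.record_logon("jdoe", True, t0 + timedelta(minutes=5)))
    tracker.service_desk_reenable("jdoe")
    events.append(tracker.record_logon("jdoe", True, t0 + timedelta(minutes=6)))
    t1 = t0 + timedelta(minutes=10)
    for i in range(5):
        tracker.record_logon("jdoe", False, t1 + timedelta(seconds=i))
    events.append("locked" if tracker.is_locked("jdoe", t1 + timedelta(minutes=14)) else "clear")
    events.append("locked" if tracker.is_locked("jdoe", t1 + timedelta(minutes=16)) else "clear")
    return events


if __name__ == "__main__":
    print(password_violations("password"))
    print(lockout_scenario())
```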

6. Acceptable Use Policy

Terragon’s systems are critical for the operations and the ability to service our customers. The manner in which these systems are used will determine how well we are able to conduct our business. Use of these systems must be in accordance with this and other organisational policies. All electronic processing facilities provided by Terragon, including e-mail, internet and intranet, are business enablers and tools for productivity enhancement.

Terragon Group reserves the right to limit access to any or all of its electronic computing facilities to those users who have a legitimate business need and, at its discretion, to terminate the access of any user of its electronic computing facilities without notice.

6.1 General Acceptable Use Principles

  • Terragon Group systems are to be used only for the purpose for which they are authorised and are not to be used for non-Terragon Group activities.
  • Users are responsible for protecting any information used and/or stored on/in their Terragon Group accounts.
  • Users are responsible for the availability, integrity and confidentiality of customer and employee data held on their computers and all forms of storage media under their control.
  • Users are requested to immediately report any weakness in Terragon Group’s computer security, or any incident of possible misuse or violation of this Policy, to the proper authorities by contacting the ISMS Manager or raising an incident ticket.
  • The company shall at its discretion determine what websites and content employees can access, to ensure workforce productivity.
  • Screen captures (screen munch, screen grab, snapshots and any similar action) of company information on a mobile device, with the intent of sharing it via social media, personal email or other personal media with oneself or an external party without approval, are prohibited.

6.2 Internet Usage

  • Access to the Internet shall be made available only to employees, contractors, subcontractors, and business partners whose duties require access to conduct Terragon Group’s business within business hours.
  • End users are responsible for the secure use of Internet services including Internet access, web browsing, and electronic mail.
  • End users are expected to understand that information assets transmitted over the Internet are not private and that their actions represent Terragon Group Limited.
  • The Internet is to be used primarily for business purposes. Any personal use of the Internet must not interfere with normal business activities and Terragon Group’s ability to pursue its mission and meet the conditions outlined in the company’s policy.
  • Communications over the internet shall not involve solicitation, pornography, violence, racism, attempts to circumvent internet access controls, association with any for-profit external business activity, and anything with the potential of incurring legal liability to Terragon Group Limited.
  • Do not download and install software without approval of the CTO or ISMS Manager. This includes games, software from an unknown source, and programs intended to exploit Terragon Group’s IT systems, such as password crackers, network scanning tools, and packet sniffers.
  • Always represent Terragon Group’s best interest. Exercise judgement in all Internet communications and use.
  • Do not participate in non-business related online message boards or chat rooms. Messages sent using such Internet sites can be traced to Terragon Group and may have a negative impact on the organisation.
  • Internet access for contractors, vendors, consultants, business partners and other persons shall be approved only if their use is vital to the conduct of Terragon Group’s businesses.
  • Ensure that all confidential information from Terragon’s drive is for internal use only; any information to be shared externally must be shared only with a signed NDA in place. The shared drive is provided to employees for viewing and retrieving information.

6.3 Email Acceptable Use

  • Access to Terragon Group’s electronic mail (email) system is provided to employees and/or third parties whose duties require email to conduct Terragon Group’s business.
  • All messages composed and/or sent using company provided electronic messaging resources must comply with company policies regarding acceptable communication.
  • Upon termination or separation from Terragon Group, users shall be denied all access to electronic messaging resources, including the ability to download, forward, print or retrieve any message stored in the system, regardless of sender or recipient.
  • Each employee shall be assigned a unique email address that is to be used while conducting company business via email.
  • Where provided, employees authorised to use corporate instant messaging programs shall be assigned a unique instant messaging identifier.
  • Electronic messages are frequently inadequate in conveying mood and context. Users should carefully consider how the recipient might interpret a message before composing or sending it.
  • Any employee who discovers a violation of these policies should immediately notify a manager or the ISMS Manager.
  • Only Terragon Group’s provided email services will be accessed from Terragon Group’s information resources. Employees are advised not to use their corporate email accounts to send/receive emails which they consider private as the emails may be monitored. Terragon Group would not be liable for the interception of confidential mails.

6.4 Email Prohibited Use

Prohibited activities when using Terragon Group’s email include, but are not limited to, sending or arranging to receive the following:

  • Information that violates Terragon Group’s policies, state or Federal laws.
  • Unsolicited commercial announcements or advertising material.
  • Any material that may defame, libel, abuse, embarrass, tarnish, present a bad image of, or portray in false light, Terragon Group, the recipient, the sender, or any other person.
  • Pornographic, sexually explicit, or sexually oriented material and email messages containing such.
  • Racist, hate-based, or offensive material and email messages containing such.
  • Materials or messages with derogatory content, defamatory content, harassing content, and profanity.
  • Viruses or malicious code.
  • Chain letters; unauthorized mass mailings (SPAM), or any unauthorized request that asks the recipient to forward the message to other people.
  • Circulating, spreading or disseminating information to email groups which the user has not been designated or authorized to communicate to.
  • Messages or materials containing company trade secrets, confidential information, or privileged communications.
  • Unauthorised copying and distribution of copyrighted materials.
  • Circulating, spreading, disseminating or publishing one’s political or religious views.
  • Email messages for the operation of a business or for any undertaking for personal gain.
  • Forwarding/sending files and/or emails from a work email account to a personal email account without approval, and forwarding/sending to external parties for any purpose other than business reasons.

6.5 Other Prohibited Activities

Generally prohibited activities when using Terragon Group’s information resources include, but are not limited to, the following:

  • Using unauthorized and unapproved applications or software that occupy or use workstation idle cycles or network processing time (e.g., processing in conjunction with screen savers).
  • Installing unlicensed, unauthorised software and applications.
  • Stealing electronic files or copying of electronic files not related to your normal business activities without management approval.
  • Violating copyright laws.
  • Browsing the private files or accounts of others, except as provided by appropriate authority.
  • Performing unofficial activities that may degrade the performance of information resources, such as playing online games.
  • Performing activities intended to circumvent security or access controls of any organisation, including the possession or use of hardware or software tools intended to defeat software copy protection, discover passwords, identify security vulnerabilities, decrypt encrypted files, or compromise information security by any other means.
  • Writing, copying, executing, or attempting to introduce any computer code e.g. virus designed to self-replicate, damage, or otherwise hinder the performance of, or access to any Terragon Group’s computer, network, or information asset.
  • Promoting or maintaining a personal or private business or using Terragon Group’s information resources for personal gain.
  • Using someone else’s logon ID and password.
  • Conducting fraudulent or illegal activities, including but not limited to: gambling, trafficking in drugs or weapons, participating in terrorist acts, or attempting unauthorized entry to any Terragon Group’s computer.
  • Conducting fundraising, lobbying, or participating in any partisan political activity except otherwise authorised.
  • Disclosing any Terragon Group’s information that is not otherwise public without authorized management approval.
  • Performing any act that may discredit, defame, libel, abuse, embarrass, tarnish, present a bad image of, or portray Terragon Group’s staff, business partners, or customers in false light.

Prohibited activities when using the Internet include, but are not limited to, the following:

  • Browsing explicit pornographic or hate-based web sites, hacker or cracker sites, or other sites that Terragon Group has determined to be off limits.
  • Posting, sending, or acquiring sexually explicit or sexually oriented material, hate-based material, hacker-related material, or other material determined to be off limits by Terragon Group.
  • Posting or sending classified Terragon Group information outside of Terragon Group’s network without management authorisation.
  • Unauthorised hacking or other unauthorised use of services available on the Internet.
  • Posting unauthorized commercial announcements or advertising material.
  • Promoting or maintaining a personal or private business.
  • Users shall not download, install or run security programs or utilities that reveal weaknesses in the security of our systems. For example, users shall not run password-cracking programs on the computing systems.
  • Users shall not make unauthorised copies of copyrighted software, except as permitted by law or by the owner of the copyright.
  • Users shall not make copies of system configuration files for their unauthorised personal use or to provide to other people/users for unauthorised uses.
  • Users shall not purposely engage in activity with the intent to: harass other users; degrade the performance of systems; deprive an authorised user access to a system resource, obtain extra resources beyond those allocated, circumvent computer security measures or gain access to Terragon Group’s system for which proper authorization has not been given.
  • Users shall not perform activities intended to circumvent security or access controls of any organisation, including the possession or use of hardware or software tools intended to defeat software copy protection, discover passwords, identify security vulnerabilities, decrypt encrypted files, or compromise information security by any other means.
  • Users shall not write, copy, execute, or attempt to introduce any computer code designed to self-replicate, damage, or otherwise hinder the performance of or access to any corporate computer network, or information.
  • Users shall not conduct fraudulent or illegal activities, including but not limited to:
    • Gambling, trafficking in drugs or weapons, participating in terrorist acts, or attempting unauthorized entry to any corporate or non-corporate computer.
  • Users shall not attempt to access any data or programs contained on the company’s systems for which they do not have authorization or explicit consent of the owner of the data/program.

7. Clear Desk and Clear Screen Policy

A Clear Desk and Clear Screen Policy will help ensure that all sensitive/confidential materials are removed from workspaces and locked away when the items are not in use or an employee leaves their workstation. The policy will help reduce the risk of security breaches within Terragon’s environment.

Objective: The purpose of this policy is to establish the minimum requirements for maintaining clean desks and clear screens and to ensure that any confidential, restricted or sensitive information is locked away and out of sight.

  • The clear desk and clear screen principles should be used in consideration of the information classification (please refer to Terragon Group Information Classification Policy), legal and contractual requirements and the corresponding risks and cultural aspects of the organisation.
  • Computers and terminals should be left logged off or protected with a screen and keyboard locking mechanism controlled by a password, token or similar user authentication mechanism when unattended, and should be protected by key locks, passwords or other controls when not in use.
  • Computer screens should be angled away from the view of unauthorised persons.
  • The Windows and Mac Security Lock should be set to activate when there is no activity for a short predetermined period of time.
  • The Windows Security Lock should be password protected for reactivation.
  • Passwords must not be left on sticky notes posted on or under a computer, nor may they be left written down and left in an accessible location.
  • Users should log off or lock their machines (by pressing the Windows key + L for Windows machines and Control + Command + Q for MacOS machines) when they leave their screens.
  • Whiteboards containing restricted and/or sensitive information should be erased.
  • Portable computing devices such as unused laptops, cameras and tablets must be locked away in a safe.
  • Mass storage devices such as hard drives, CD-ROMs, DVDs or USB drives should be treated as containing sensitive data and must be locked away in the safe or the server room.
  • Where practically possible, paper and computer media should be stored in suitable locked safes, cabinets or other forms of security furniture when not in use, especially outside working hours.
  • Where lockable safes, filing cabinets, drawers, cupboards etc. are not available, office doors must be locked if left unattended.
  • Employees are required to ensure that all confidential, restricted or sensitive information in hardcopy or electronic form is secured at the end of the day and when they are expected to be away from their desk for an extended period.
  • Any confidential, restricted or sensitive information must be removed from desks and locked in a drawer when a desk is left unoccupied at any time.
  • Confidential, restricted or sensitive information, when printed, should be cleared from printers immediately.
  • Where possible printers with a ‘locked job’ facility should be used.
  • It is good practice to lock office areas when they are not in use and it is safe to do so.
  • Any visit, appointment or message books should be stored in a locked area when not in use.
  • The reception area can be particularly vulnerable to visitors. This area should be kept as clear as possible at all times. No personally identifiable information should be kept on desks within reach or sight of visitors.
  • It is also worth noting that information left on desks is also more likely to be damaged or destroyed in a disaster such as fire, flood or explosion.
  • Keys used for access to confidential, restricted or sensitive information must not be left in or on an unattended desk. Keys for desk drawers, cabinets and other secure areas must be stored in the dedicated key safe.
  • Upon disposal, any document containing personal data or confidential, restricted or sensitive information must be shredded. Confidential waste must not be left on desks, in filing trays or placed in regular waste bins.

8. Physical and Environmental Security

Physical barriers (Access Controls) are installed within Terragon secure areas to prevent access without the correct level of authorisation. This is to prevent tailgating i.e. an unauthorised person following an authorised person through the barrier.

8.2 Physical Entry Controls

VISITORS
Unauthorized personnel, clients, vendors and visitors shall be required to have the required approval before they are allowed access to restricted areas.
The date and time of entry and departure of visitors into restricted areas shall be recorded, and all visitors shall be monitored; they shall only be granted access for specific authorized purposes, and shall be issued with instructions on the security requirements of the area and on emergency procedures.
Visitors are clearly distinguished by their badges from Employees and are forced to surrender their visitor identification badge, which expires on exit, to the security operatives. No personnel are allowed into the office without any form of identification clearly displayed.
Visitors must be provided supervised and controlled access to secure areas.

ACCESS CONTROLS
Access shall be controlled via smart cards. All access-controlled doors shall be fitted with sensors to detect unauthorised or prolonged opening.
Tailgating into restricted areas is prohibited. Care shall therefore be taken by all authorised staff to prevent it. During deliveries, authorised staff shall supervise the work at all times.

ENTRY LOG
An audit trail of access to secure areas must be maintained either via manual completion of a signing in book or via electronic means.

VISIBLE IDENTIFICATION
While in Terragon or related secured areas, badges must be worn with the photos on them visible at all times.

8.3 Securing Offices, Rooms and Facilities

VACANT AREAS
Vacant areas within Terragon will be locked and regularly checked for signs of unauthorised entry or use.

ADDITIONAL SECURITY
Individual rooms within the secure area, such as the server room, may also be protected by additional security. Users are granted access to these rooms based on their role and access privilege. Security personnel and admin officer(s) shall conduct ad-hoc, unannounced checks of working areas and the security perimeter.

8.4 Protecting against External and Environmental Threats

Terragon has designed and applied controls against damage from force majeure such as lightning strikes, floods and other forms of natural or man-made disaster. Details are contained in the Terragon Business Continuity Policy/Plan.

8.5 Cabling Security

  • In line with industry electrical/cabling standards, precautions must be taken to mitigate the risk of unauthorised/malicious data interception and accidental/malicious damage to ICT installations.
  • Electric cabling is physically separated from data cabling to prevent interference and reduce the risk of injury and damage to equipment.
  • All power and telecommunications lines into information processing facilities are subject to adequate alternative protection.

9. Exceptions

  • Deviation from the minimum requirements of this policy must be submitted to the Executive Leadership Team and approved.
  • All exceptions to this policy must be formally recorded, tracked and reviewed by the formal exception management process and communicated to relevant stakeholders. Any exceptions must have a clear action plan and due date for the exception to be closed.

BREACH OF POLICIES

In the event of a breach of any of the policies outlined in this document, the offending party shall be subject to disciplinary action, up to and including termination of employment.

10. ISO 27001:2022 Control Mapping

Section Reference Within Information Security Policy | ISO Control Reference
1.3 Management Commitment and Compliance | 5.1 Leadership and Commitment
3. Information Security Objectives | 6.2 Information Security Objectives and Planning to Achieve Them
4. Information Security Roles and Responsibilities | A.5.2 Information security roles and responsibilities
5. Password Policy | A.5.17 Authentication information; A.8.5 Secure authentication
6. Acceptable Use Policy | A.5.10 Acceptable use of information and other associated assets
7. Clear Desk and Clear Screen Policy | A.7.7 Clear desk and clear screen
8. Physical and Environmental Security Policy | A.7.5 Protecting against physical and environmental threats

1. Introduction

Information has become a critical resource for organisations, which depend heavily on their information resources. Hence, there is a need to protect it and manage the risks associated with its use. This policy defines how information security will be set up, managed, measured, reported on and developed within Terragon.

1.1 Purpose

Terragon Group Limited (“Terragon”) has established this Information Security Policy to provide high-level guidance and to set the minimum requirements that must be followed to maintain the required level of Information Security within the organisation. The document lays the foundation for how Terragon implements information security.
The overall control and operational objectives are to:

  • Provide guidance to all employees on how to protect Terragon’s information systems in a manner that achieves a balance of cost effectiveness, reasonableness, an adequate level of protection, and helps to facilitate compliance with current and projected regulatory, business, and IT requirements.
  • Provide guidance to enable secure conduct of business and transactions with Terragon employees, interns, and third parties.
  • In addition to Policy statements, provide guidance and a list of “to-do” and “not-to-do” security practices.

1.2 Scope

  1. The policy is applicable to ALL stakeholders of Terragon’s information systems infrastructure (employees, contractors, partners, vendors etc.).
  2. This policy applies to all information in physical and electronic format (including Terragon’s intellectual property) held by or entrusted to Terragon throughout the information lifecycle, which includes creation, collection, storage, distribution, archiving and disposal.
  3. Therefore, the policy covers the use of the entire Information Technology infrastructure of the organisation. It includes all the PCs, servers (on-premises and cloud) and networks, connecting devices and components, software, communication equipment and supporting electrical power distribution equipment.
  4. The policy scope also defines the operation and use of the Internet. Also considered are security issues ranging from physical to logical security.

1.3 Management Commitment and Compliance

Terragon Group Management is committed to mitigating risk, and meeting the compliance requirements of its services. To this end, this Information Security Policy has been documented and approved in order to clarify business interpretations and implementation requirements of the organisation’s Information Security.
No unauthorised deviation from the minimum requirements of this policy will be allowed. Business units are requested to discuss any requirements for deviation with the Executive Leadership Team. Any breach will result in disciplinary action (See Disciplinary Policy).

1.4 Continual Improvement

Terragon’s policy with regard to continual improvement of the Information Security Management System is:

  • To continually improve the effectiveness of the Information Security Management System.
  • Comply with ISO 27001 and maintain compliance on an ongoing basis.
  • Enhance current processes to bring them in line with good practice as defined within ISO/IEC 27001.
  • Increase the level of proactivity with regard to the on-going management of information security.
  • Review relevant metrics on an annual basis to assess whether it is appropriate to change them, based on collected historical data and feedback from relevant sources.
  • Obtain ideas for improvement via regular review meetings with stakeholders and implement where necessary.
  • Update the Continual Improvement Log on a defined basis and continually review open items.

1.5 Policy Review Schedule

It is the responsibility of the ISMS Manager to ensure that this policy is reviewed at least once annually. Internal or external factors may drive the need for a review prior to the scheduled time.


2. Information Security Principles

This policy maintains the generally accepted information security objectives as the pillars upon which its various tenets are built. It is important that all employees cultivate this culture as part of our drive towards a highly secured and efficient system. Terragon’s high-level Information Security Objective is to protect the organisation’s information and information assets in terms of Confidentiality, Integrity, Availability, Access, Appropriate use and Employee privacy. This policy defines how information security will be set up, managed, measured, reported on and developed within Terragon.

2.1 Confidentiality

  • Confidentiality can be defined as “The concept of holding sensitive data in confidence, limited to an appropriate set of individuals or organisations”. The need to keep our sensitive information assets in confidence cannot be over-emphasized.
  • Cloud services are used to store Terragon’s most important information resources, which must be kept strictly confidential.
  • Breach of confidentiality can take place by word of mouth, by printing, copying, e-mailing or creating and spreading documents and other data.
  • The classification of the information should determine its confidentiality and hence the appropriate safeguards.
  • Maintaining the confidentiality of information stored on the server therefore requires:
    • Ensuring that only authorised users can access the services and information.
    • Ensuring that authorised users can access only the services for which they are authorised.

2.2 Integrity

  • Integrity is the quality of information that identifies how closely the data represents reality. According to the COBIT IT Governance framework, integrity “relates to the accuracy and completeness of information as well as to its validity in accordance with the business set of values and expectations”.
  • This is the ability to keep information from being changed by unauthorised users and to ensure the information is complete and unchanged. For example, making copies of a sensitive document (say by emailing a file) threatens both the confidentiality and the integrity of the information, because each copy is a further point at which the data is at risk of change or modification. Maintaining the integrity of information stored on the servers includes ensuring that one can recognise and recover from breaches of integrity.
  • Terragon servers also store information used for management decisions and client information, which demands a high level of integrity and confidentiality.
  • The two most important principles for achieving and maintaining information integrity are:
    • The principle of separation of duty: This states that no one person should perform a task from beginning to end, but that the task should be divided among two or more people to prevent fraud by one person acting alone.
    • A well-formed transaction is defined as a transaction where the user is unable to manipulate data arbitrarily. A security system in which transactions are well formed ensures that only legitimate actions can be executed. It also ensures that the internal data is accurate and consistent with what it represents.

2.3 Availability

  • Availability goes hand-in-hand with confidentiality and integrity. Availability is the ability to provide authorised users with information when it is required. A power outage, or a virus that crashes a computer system, are examples of attacks on availability.
  • Maintaining the availability of the services includes:
    • Ensuring that services are uninterrupted even when there are hardware or software failures or during routine system maintenance.
    • Ensuring that recovery from security incidents is effected on time.
  • Confidentiality, Integrity and Availability are the prevailing conditions that provide us with the basis for building a basic Security Management Model.

2.4 Guiding Principles

The broad goal of information security in the Organization is to maintain the Confidentiality, Integrity, and Availability (CIA) of data. To achieve this goal, Terragon has identified a set of core security principles to guide the creation of policies. The Policies are derived from the principles of the ISO 27001 framework and additionally reflect appropriate industry best practices. The Policy will, in turn, be further supported by formal, detailed standards and team-specific Standard Operating Procedures (SOPs) as necessary. From these simple principles, Terragon builds and maintains the foundation of a strong security posture.

  • Universal Participation: Every component of an organisation could be a potential avenue of compromise of the three core principles of confidentiality, integrity, and availability. Thus, Terragon has a strong security program which includes all parties in the organisation. Everyone is responsible for implementing the security policy as it relates to their specific role and responsibilities.
  • Risk-Based Security: An organisation’s security is defined by the set of risks it faces. These risks should be identified regularly and should remain the primary focus of any security policy or program.
  • Compartmentalization: If one compartment is compromised, subsequent compartments should be safe.
  • Secure Failure: When a system’s confidentiality, integrity, or availability is compromised, the system should fail to a secure state.
  • Need-to-Know: Information will only be circulated to those parties requiring it in order to perform their defined business function.
  • Effective Authentication and Authorization: Firmly established identity and role-based authorization are essential to making informed access control decisions.
  • Audit Mechanisms: Implement audit mechanisms to detect unauthorised use and to support incident investigations.

3. Detailed Information Security Objectives

Terragon’s Information Security Objectives are linked to performance metrics for effective measurement of the fulfilment of the objectives. Plans to achieve these objectives are detailed in the ISMS Calendar and Performance Metrics document.
The objectives are as follows:

  • Risk Assessment: To ensure that information security risks are identified, assessed and treated in a consistent manner across the organisation.
  • Information Asset Management: To ensure information assets receive an appropriate level of protection. To achieve and maintain appropriate protection of information assets based on the associated business risk.
  • Human Resources: To ensure that employees and third parties understand their responsibilities with regard to information security.
  • Physical Security: To ensure information security requirements form an integral part of the Organization’s physical and environmental policies. These requirements are applicable to Terragon premises only and are bound by country-specific laws.
  • Network and IT Operations Security: To protect Terragon’s network and IT systems from unauthorised access, malicious code and attacks and to detect unauthorised network and IT system use.
  • Third Party Security: To ensure that third parties deliver services in a manner that meets Terragon’s minimum information security requirements.
  • Logical Access Management: To ensure that only authorised users are given access to Terragon’s information, IT systems and networks.
  • System Acquisition, Development and Maintenance: To ensure that security requirements are identified and agreed before implementation of a new IT system as well as when maintaining existing systems.
  • Information Security Incident Management: To implement a consistent and effective process for the reporting, resolving and closure of information security incidents in order to minimise risk to information assets.
  • Business Continuity Management: To ensure information security requirements form an integral part of Terragon’s business continuity management (BCM) programme.
  • Information Security Compliance: To ensure that Terragon complies with Information Risk and Information Security policies, and applicable legislation, regulations and/or contractual obligations.
  • Privacy: To ensure compliance with privacy requirements as described in relevant legislation, regulations and contractual clauses.

4. Information Security Roles and Responsibilities

The roles and responsibilities described below are for the effective implementation, operation and continuous improvement of Terragon’s Information Security Management System (ISMS).

4.1 Executive Leadership Team

The Executive Leadership Team will drive IT and Information Security goals and ensure that these goals are aligned with business objectives.
The Executive Leadership Team, as the Governance body, assumes the responsibility to:

  • Establish the ISMS policy, objectives and plans
  • Define Information Security (IS) strategy and direction, allocate roles and responsibilities and oversee the Information Security activities.
  • Communicate the importance of meeting the objectives and the need for continual improvement.
  • Maintain an awareness of business needs and major changes.
  • Determine and provide resources to plan, implement, monitor, review and improve information security and management e.g. recruit appropriate staff, manage staff turnover.

4.2 Heads of Department

Heads of Departments have overall accountability for:

  • Making their team members aware of this policy and ensuring that they comply with this policy.
  • Guiding and encouraging their team members to report information security incidents.
  • Setting a good example for their team members by following all applicable security practices.
  • Ultimately, heads of departments are responsible for ensuring that adequate resources are applied to the ISMS program and that it is successful.

4.3 Enterprise Security

  • Conduct periodic ISMS Audits as per the agreed schedule.
  • Remediate gaps identified in ISMS internal and external Audits.
  • Review the compliance posture of security controls on various IT systems, applications, operating systems and devices.
  • Support the ISMS Manager in providing guidance on remediation planning, controls implementation and information security risk mitigation.

4.4 Terragon Employees and Third Parties

It is the responsibility of all employees to read and comply with Terragon’s Information Security Policies. While not all Information Security Policies contained herein are applicable to all Terragon’s business and employees’ functions, it is every end user’s responsibility to protect information assets. Non-compliance with these Information Security Policies will result in disciplinary action up to and including termination or legal action.
All users, contractors, and third parties are responsible to:

  • Notify the ISMS Manager of any security breach, violation, or suspicious activity
  • Comply with principles defined in this policy
  • Use information assets appropriately and responsibly
  • Treat system account information, passwords, access codes, and other sensitive access information as extremely confidential. All users are responsible for the activity that occurs with their unique identifier or logon credentials.
  • Secure all confidential media or USB sticks in your personal workspace when not present.
  • Not place unauthorised software or data files on Terragon’s systems. Authorised software must only be used in accordance with licensing agreements, and must not violate any copyright laws
  • Not use technical knowledge or programs to bypass security, monitoring, or filtering controls implemented by Terragon

All Terragon employees are:
  • Responsible for identifying information assets and determining their appropriate information classification levels.
  • Accountable for the security (that is, the confidentiality, integrity and availability) of the information they own and control. Where the responsibility for implementing controls has been delegated, accountability must remain with the data owner.

4.5 People and Culture Team

The People and Culture team must:

  • Support the business areas in incidents that involve investigations of their staff.
  • Assist Heads of Units / Departments in enforcing the disciplinary process for non-compliance with the policy directives.
  • Perform background checks on new employees to verify their personal data, references, character and competence. The background checks will comprise a Former Employment Reference, a Personal Reference and Criminal Background Information (where there is doubt about the individual’s criminal record). Otherwise the previous employer and personal reference information will suffice.
  • Conduct criminal background checks for sensitive positions, such as executive drivers and employees in the finance department (Manager level and above).

4.6 Internal Audit

The internal audit function exists to enhance Terragon’s information security management system and to maintain its effectiveness, maturity and resilience. Its responsibilities are to:

  • Plan and execute audits of the ISMS to assess the effectiveness of controls, policies, and procedures related to information security.
  • Evaluate information security risks and vulnerabilities within the ISMS framework, including identifying potential threats and assessing the likelihood and impact of security incidents.
  • Ensure that the ISMS complies with ISO 27001 standards, regulatory requirements, and internal policies related to information security.
  • Assess the adequacy and effectiveness of information security controls implemented within the ISMS, including technical, physical, and administrative controls.
  • Identify gaps or deficiencies in the ISMS implementation and recommend corrective actions to address areas of improvement.
  • Prepare audit reports detailing findings, observations, and recommendations for improvement related to information security controls and ISMS performance.
  • Monitor the implementation of corrective actions resulting from audit findings and conduct follow-up audits to verify the effectiveness of remedial measures.
  • Identify opportunities for enhancing the ISMS, improving information security processes, and promoting a culture of continuous improvement in information security practices.

5. Password Policy

Objective: To ensure that appropriate password management controls are defined and correctly implemented for all network and system infrastructure, application systems and information resources (hereafter referred to as Systems) used by Terragon.

5.1 User Passwords

The allocation of passwords must be controlled through a formal management process, which must contain the following requirements:

  • When users are required to maintain their own passwords they must be provided initially with a secure temporary password, which they are forced to change immediately.
  • Temporary passwords must be given to users in a secure manner.
  • Temporary passwords must be unique to an individual and must not be guessable.
  • Passwords must never be stored on computer systems in an unprotected form.
  • Default vendor passwords must be altered following installation of systems or software.

5.2 Password Standard

Parameter | Value
Minimum length | 8
Characters required | At least one UPPERCASE letter (A...Z); at least one lowercase letter (a...z); at least one symbol from “{}[]\:;?><,./!@#$%^&*())”; at least one number (0123456789)
Change frequency | At least every 90 days
Account lockout | After 5 incorrect logon attempts (lockout for 15 minutes)
Account lockout action | Account must be re-enabled by IT Service Desk
Session timeout | At most 20 minutes

5.3 Password Use

All users shall:

  • Keep passwords confidential;
  • Avoid keeping a record (e.g. paper or hand-held device) of passwords, unless this can be stored securely;
  • Change passwords whenever there is any indication of possible system or password compromise;
  • Select quality passwords with sufficient minimum length which are:
    • Easy to remember;
    • Not based on anything somebody else could easily guess or obtain using person-related information, e.g. names, telephone numbers and dates of birth;
    • Not vulnerable to dictionary attacks (i.e. do not consist of words included in dictionaries);
    • Free of consecutive identical, all-numeric or all-alphabetic characters;
  • Change passwords at regular intervals or based on the number of accesses, and avoid reusing or cycling old passwords;
  • Change temporary passwords at the first log-on;
  • Not include passwords in any automated log-on process, e.g. stored in a macro or function key;
  • Not share individual user passwords;
  • Not use the same password for business and non-business purposes.
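The following checker is an added illustration of how the section 5.2 parameters and the section 5.3 composition rules can be enforced together; it is not Terragon’s own tooling. The constants are taken from the 5.2 table; SAMPLE_DICTIONARY and the personal_info hints are constructed sample inputs standing in for a real word list and HR data.

```python
"""Checker for the password standard in sections 5.2 and 5.3 (added example).

The constants come from the section 5.2 table; check_password() applies the
5.2 character rules and the 5.3 composition rules. SAMPLE_DICTIONARY and the
personal_info argument are constructed sample inputs, not real data.
"""
import string

# Section 5.2 table values.
MIN_LENGTH = 8
SYMBOLS = set("{}[]\\:;?><,./!@#$%^&*()")   # approved symbol set from the table
MAX_PASSWORD_AGE_DAYS = 90                  # change at least every 90 days
LOCKOUT_THRESHOLD = 5                       # incorrect logon attempts
LOCKOUT_MINUTES = 15
SESSION_TIMEOUT_MINUTES = 20

# Constructed stand-in for a dictionary word list (section 5.3).
SAMPLE_DICTIONARY = {"password", "welcome", "summer", "terragon", "admin"}


def check_password(candidate, personal_info=()):
    """Return the rules the candidate violates; an empty list means compliant.

    personal_info: constructed hints (name, phone number, birth year) that the
    password must not be based on, per section 5.3.
    """
    problems = []
    # 5.2: minimum length and one character from each of the four classes.
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c in string.ascii_uppercase for c in candidate):
        problems.append("no uppercase letter")
    if not any(c in string.ascii_lowercase for c in candidate):
        problems.append("no lowercase letter")
    if not any(c in string.digits for c in candidate):
        problems.append("no digit")
    if not any(c in SYMBOLS for c in candidate):
        problems.append("no symbol from the approved set")
    # 5.3: no consecutive identical characters. (The all-numeric and
    # all-alphabetic bans in 5.3 are already enforced by the class checks.)
    if any(a == b for a, b in zip(candidate, candidate[1:])):
        problems.append("contains consecutive identical characters")
    # 5.3: not a dictionary word once digits/symbols are stripped, so that
    # "Welcome1!" is rejected even though it satisfies every 5.2 rule.
    lowered = candidate.lower()
    letters_only = "".join(c for c in lowered if c.isalpha())
    if letters_only in SAMPLE_DICTIONARY:
        problems.append("based on a dictionary word")
    # 5.3: not derived from person-related information.
    for hint in personal_info:
        hint = hint.lower()
        if len(hint) >= 3 and hint in lowered:
            problems.append(f"contains personal information ({hint!r})")
    return problems


def password_expired(days_since_change):
    """5.2: a password older than 90 days must be changed."""
    return days_since_change > MAX_PASSWORD_AGE_DAYS


def is_locked_out(failed_attempts, minutes_since_last_failure):
    """5.2: 5 incorrect attempts lock the account for 15 minutes; after that
    the IT Service Desk re-enables it (the re-enable step is out of scope)."""
    return (failed_attempts >= LOCKOUT_THRESHOLD
            and minutes_since_last_failure < LOCKOUT_MINUTES)


def session_expired(minutes_idle):
    """5.2: sessions time out after at most 20 minutes of inactivity."""
    return minutes_idle >= SESSION_TIMEOUT_MINUTES


if __name__ == "__main__":
    # Constructed sample candidates.
    for pw in ("Welcome1!", "Tr4fic$Lamp", "short1!", "Ballon99!"):
        print(f"{pw!r}: {check_password(pw) or 'compliant'}")
```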

6. Acceptable Use Policy

Terragon’s systems are critical for the operations and the ability to service our customers. The manner in which these systems are used will determine how well we are able to conduct our business. Use of these systems must be in accordance with this and other organisational policies. All electronic processing facilities provided by Terragon, including e-mail, internet and intranet, are business enablers and tools for productivity enhancement.

Terragon Group reserves the right to limit access to any or all of its electronic computing facilities to those users who have a legitimate business need and, at its discretion, to terminate the access of any user of its electronic computing facilities without notice.

6.1 General Acceptable Use Principles

  • Terragon Group systems are to be used only for the purpose for which they are authorised and are not to be used for non-Terragon Group activities.
  • Users are responsible for protecting any information used and/or stored on/in their Terragon Group accounts.
  • Users are responsible for the availability, integrity and confidentiality of customer and employee data held on their computers and all forms of storage media under their control.
  • Users are requested to immediately report any weaknesses in Terragon Group’s computer security, any incidents of possible misuse or violation of this Policy to the proper authorities by contacting the ISMS Manager or raising an incident ticket.
  • The company shall at its discretion determine what websites and content employees can access, to ensure workforce productivity.
  • Screen captures, screen grabs, snapshots and any other similar action to capture company information on a mobile device with the intent of sharing it via social media, personal e-mail or other personal mediums, whether with oneself or an external party, are prohibited without approval.

6.2 Internet Usage

  • Access to the Internet shall be made available only to employees, contractors, subcontractors, and business partners whose duties require access to conduct Terragon Group’s business within business hours.
  • End users are responsible for the secure use of Internet services including Internet access, web browsing, and electronic mail.
  • End users are expected to understand that information assets transmitted over the Internet are not private and that their actions represent Terragon Group Limited.
  • The Internet is to be used primarily for business purposes. Any personal use of the Internet must not interfere with normal business activities and Terragon Group’s ability to pursue its mission and meet the conditions outlined in the company’s policy.
  • Communications over the internet shall not involve solicitation, pornography, violence, racism, attempts to circumvent internet access controls, association with any for-profit external business activity, and anything with the potential of incurring legal liability to Terragon Group Limited.
  • Do not download and install software without approval of the CTO or ISMS Manager. This includes games, software from an unknown source, and programs intended to exploit Terragon Group’s IT systems, such as password crackers, network scanning tools, and packet sniffers.
  • Always represent Terragon Group’s best interest. Exercise judgement in all Internet communications and use.
  • Do not participate in non-business related online message boards or chat rooms. Messages sent using such Internet sites can be traced to Terragon Group and may have a negative impact on the organisation.
  • Internet access for contractors, vendors, consultants, business partners and other persons shall be approved only if their use is vital to the conduct of Terragon Group’s businesses.
  • All confidential information held on Terragon’s shared drive is for internal use only; any information to be shared externally must be shared only with a signed NDA in place. The shared drive is provided to employees for viewing and retrieving information.

6.3 Email Acceptable Use

  • Access to Terragon Group’s electronic mail (email) system is provided to employees and/or third parties whose duties require email to conduct Terragon Group’s business.
  • All messages composed and/or sent using company provided electronic messaging resources must comply with company policies regarding acceptable communication.
  • Upon termination or separation from Terragon Group, users shall be denied all access to electronic messaging resources, including the ability to download, forward, print or retrieve any message stored in the system, regardless of sender or recipient.
  • Each employee shall be assigned a unique email address that is to be used while conducting company business via email.
  • Where provided, employees authorised to use corporate instant messaging programs shall be assigned a unique instant messaging identifier.
  • Electronic messages are frequently inadequate in conveying mood and context. Users should carefully consider how the recipient might interpret a message before composing or sending it.
  • Any employee who discovers a violation of these policies should immediately notify a manager or the ISMS Manager.
  • Only Terragon Group-provided email services may be accessed from Terragon Group’s information resources. Employees are advised not to use their corporate email accounts to send or receive emails which they consider private, as these emails may be monitored. Terragon Group will not be liable for the interception of confidential emails.

6.4 Email Prohibited Use

Prohibited activities when using Terragon Group’s email include, but are not limited to, sending or arranging to receive the following:

  • Information that violates Terragon Group’s policies, state or Federal laws.
  • Unsolicited commercial announcements or advertising material.
  • Any material that may defame, libel, abuse, embarrass, tarnish, present a bad image of, or portray in false light, Terragon Group, the recipient, the sender, or any other person.
  • Pornographic, sexually explicit, or sexually oriented material and email messages containing such.
  • Racist, hate-based, or offensive material and email messages containing such.
  • Materials or messages with derogatory content, defamatory content, harassing content, and profanity.
  • Viruses or malicious code.
  • Chain letters; unauthorized mass mailings (SPAM), or any unauthorized request that asks the recipient to forward the message to other people.
  • Circulating, spreading or disseminating information to email groups which the user has not been designated or authorized to communicate to.
  • Messages or materials containing company trade secrets, confidential information, or privileged communications.
  • Unauthorized copying and distribution of copyrighted materials.
  • Circulating, spreading, disseminating or publishing one’s political or religious views.
  • Email messages for the operation of a business or for any undertaking for personal gain.
  • Forwarding or sending files and/or emails from a work email account to a personal email account without approval, or forwarding or sending them to external parties for purposes other than business reasons.

6.5 Other Prohibited Activities

Generally prohibited activities when using Terragon Group’s information resources include, but are not limited to, the following:

  • Using unauthorized and unapproved applications or software that occupy or use workstation idle cycles or network processing time (e.g., processing in conjunction with screen savers).
  • Installing unlicensed, unauthorised software and applications.
  • Stealing electronic files or copying of electronic files not related to your normal business activities without management approval.
  • Violating copyright laws.
  • Browsing the private files or accounts of others, except as provided by appropriate authority.
  • Performing unofficial activities that may degrade the performance of information resources, such as playing online games.
  • Performing activities intended to circumvent security or access controls of any organisation, including the possession or use of hardware or software tools intended to defeat software copy protection, discover passwords, identify security vulnerabilities, decrypt encrypted files, or compromise information security by any other means.
  • Writing, copying, executing, or attempting to introduce any computer code e.g. virus designed to self-replicate, damage, or otherwise hinder the performance of, or access to any Terragon Group’s computer, network, or information asset.
  • Promoting or maintaining a personal or private business or using Terragon Group’s information resources for personal gain.
  • Using someone else’s logon ID and password.
  • Conducting fraudulent or illegal activities, including but not limited to: gambling, trafficking in drugs or weapons, participating in terrorist acts, or attempting unauthorized entry to any Terragon Group’s computer.
  • Conducting fundraising, lobbying, or participating in any partisan political activity except otherwise authorised.
  • Disclosing any Terragon Group’s information that is not otherwise public without authorized management approval.
  • Performing any act that may discredit, defame, libel, abuse, embarrass, tarnish, present a bad image of, or portray Terragon Group’s staff, business partners, or customers in false light.

Prohibited activities when using the Internet include, but are not limited to, the following:

  • Browsing explicit pornographic or hate-based web sites, hacker or cracker sites, or other sites that Terragon Group has determined to be off limits.
  • Posting, sending, or acquiring sexually explicit or sexually oriented material, hate-based material, hacker-related material, or other material determined to be off limits by Terragon Group.
  • Posting or sending classified Terragon Group information outside of Terragon Group’s network without management authorisation.
  • Unauthorised hacking or other unauthorised use of services available on the Internet.
  • Posting unauthorized commercial announcements or advertising material.
  • Promoting or maintaining a personal or private business.
  • Users shall not download, install or run security programs or utilities, which reveal weaknesses in the security of our system. For example, users shall not run password-cracking programs on the computing systems.
  • Users shall not make unauthorised copies of copyrighted software, except as permitted by law or by the owner of the copyright.
  • Users shall not make copies of system configuration files for their unauthorised personal use or to provide to other people/users for unauthorised uses.
  • Users shall not purposely engage in activity with the intent to: harass other users; degrade the performance of systems; deprive an authorised user access to a system resource, obtain extra resources beyond those allocated, circumvent computer security measures or gain access to Terragon Group’s system for which proper authorization has not been given.
  • Users shall not perform activities intended to circumvent security or access controls of any organisation, including the possession or use of hardware or software tools intended to defeat software copy protection, discover passwords, identify security vulnerabilities, decrypt encrypted files, or compromise information security by any other means.
  • Users shall not write, copy, execute, or attempt to introduce any computer code designed to self-replicate, damage, or otherwise hinder the performance of or access to any corporate computer network, or information.
  • Users shall not conduct fraudulent or illegal activities, including but not limited to:
    • Gambling, trafficking in drugs or weapons, participating in terrorist acts, or attempting unauthorized entry to any corporate or non-corporate computer.
  • Users shall not attempt to access any data or programs contained on the company’s systems for which they do not have authorization or explicit consent of the owner of the data/program.

7. Clear Desk and Clear Screen Policy

A Clear Desk and Clear Screen Policy will help ensure that all sensitive/confidential materials are removed from workspaces and locked away when the items are not in use or an employee leaves their workstation. The policy will help reduce the risk of security breaches within Terragon’s environment.

Objective: The purpose of this policy is to establish the minimum requirements for maintaining clear desks and clear screens, and to ensure that any confidential, restricted or sensitive information is locked away and out of sight.

  • The clear desk and clear screen principles should be used in consideration of the information classification (please refer to Terragon Group Information Classification Policy), legal and contractual requirements and the corresponding risks and cultural aspects of the organisation.
  • Computers and terminals should be left logged off, or protected with a screen and keyboard locking mechanism controlled by a password, token or similar user authentication mechanism, when unattended, and should be protected by key locks, passwords or other controls when not in use.
  • Computer screens should be angled away from the view of unauthorised persons.
  • The Windows and Mac Security Lock should be set to activate when there is no activity for a short predetermined period of time.
  • The Windows Security Lock should be password protected for reactivation.
  • Passwords must not be left on sticky notes posted on or under a computer, nor may they be left written down and left in an accessible location.
  • Users should log off or lock their machines (by pressing the Windows key + L for Windows machines and Control + Command + Q for MacOS machines) when they leave their screens.
  • Whiteboards containing restricted and/or sensitive information should be erased.
  • Portable computing devices such as unused laptops, cameras and tablets must be locked away in a safe.
  • Mass storage devices such as hard drives, CD-ROMs, DVDs or USB drives should be treated as containing sensitive data and must be locked away in the safe or the server room.
  • Where practically possible, paper and computer media should be stored in suitable locked safes, cabinets or other forms of security furniture when not in use, especially outside working hours.
  • Where lockable safes, filing cabinets, drawers, cupboards etc. are not available, office doors must be locked if left unattended.
  • Employees are required to ensure that all confidential, restricted or sensitive information in hardcopy or electronic form is secured at the end of the day and when they are expected to be away from their desk for an extended period.
  • Any confidential, restricted or sensitive information must be removed from desks and locked in a drawer when a desk is left unoccupied at any time.
  • Confidential, restricted or sensitive information, when printed, should be cleared from printers immediately.
  • Where possible printers with a ‘locked job’ facility should be used.
  • It is good practice to lock office areas when they are not in use and it is safe to do so.
  • Any visit, appointment or message books should be stored in a locked area when not in use.
  • The reception area can be particularly vulnerable to visitors. This area should be kept as clear as possible at all times. No personally identifiable information should be kept on desks within reach or sight of visitors.
  • It is also worth noting that information left on desks is also more likely to be damaged or destroyed in a disaster such as fire, flood or explosion.
  • Keys used for access to confidential, restricted or sensitive information must not be left in or on an unattended desk. Keys for desk drawers, cabinets and other secure areas must be stored in the dedicated key safe.
  • Upon disposal, any document containing personal data or confidential, restricted or sensitive information must be shredded. Confidential waste must not be left on desks, in filing trays or placed in regular waste bins.

8. Physical and Environmental Security

Physical barriers (Access Controls) are installed within Terragon secure areas to prevent access without the correct level of authorisation. This is to prevent tailgating i.e. an unauthorised person following an authorised person through the barrier.

8.2 Physical Entry Controls

VISITORS
Unauthorised personnel, clients, vendors and visitors shall obtain the required approval before they are allowed access to restricted areas.
The date and time of entry and departure of visitors into restricted areas shall be recorded, and all visitors shall be monitored; they shall only be granted access for specific authorized purposes, and shall be issued with instructions on the security requirements of the area and on emergency procedures.
Visitors are clearly distinguished from employees by their badges and must surrender their visitor identification badge, which expires on exit, to the security operatives. No personnel are allowed into the office without a form of identification clearly displayed.
Visitors must be provided supervised and controlled access to secure areas.

ACCESS CONTROLS
Access shall be controlled via smart cards, and all access-controlled doors shall be fitted with sensors to detect unauthorised or prolonged opening.
Tailgating into restricted areas is prohibited. Care shall therefore be taken by all authorised staff to prevent this. During deliveries, authorised staff shall supervise such work at all times.

ENTRY LOG
An audit trail of access to secure areas must be maintained either via manual completion of a signing in book or via electronic means.

VISIBLE IDENTIFICATION
While in Terragon or related secured areas, badges must be worn with the photos on them visible at all times.

8.3 Securing Offices, Rooms and Facilities

VACANT AREAS
Vacant areas within Terragon will be locked and regularly checked for signs of unauthorised entry or use.

ADDITIONAL SECURITY
Individual rooms within the secure area, such as the server room, may be protected by additional security controls. Users are granted access to these rooms based on their role and access privilege. Security personnel and admin officer(s) shall conduct ad-hoc, unannounced checks of working areas and the security perimeter.

8.4 Protecting against External and Environmental Threats

Terragon has designed and applied controls against damage from force majeure events such as lightning strikes, floods and other forms of natural or man-made disaster. Details are contained in the Terragon Business Continuity Policy/Plan.

8.5 Cabling Security

  • In line with industry electrical/cabling standards, precautions must be taken to mitigate the risk of unauthorised or malicious data interception and of accidental or malicious damage to ICT installations.
  • Electric cabling is physically separated from data cabling to prevent interference and reduce the risk of injury and damage to equipment.
  • All power and telecommunications lines into information processing facilities are subject to adequate alternative protection.

9. Exceptions

  • Any deviation from the minimum requirements of this policy must be submitted to, and approved by, the Executive Leadership Team.
  • All exceptions to this policy must be formally recorded, tracked and reviewed by the formal exception management process and communicated to relevant stakeholders. Any exceptions must have a clear action plan and due date for the exception to be closed.

BREACH OF POLICIES

In the event of a breach of any of the policies outlined in this document, the offending party shall be subject to disciplinary action, up to and including termination of employment.


10. ISO 27001:2022 Control Mapping

Section Reference Within Information Security Policy | ISO Control Reference
---------------------------------------------------- | ---------------------------------------------------------------
1.3 Management Commitment and Compliance             | 5.1 Leadership and Commitment
3. Information Security Objectives                   | 6.2 Information Security Objectives and Planning to Achieve them
4. Information Security Roles and Responsibilities   | A.5.2 Information security roles and responsibilities
5. Password Policy                                   | A.5.17 Authentication information; A.8.5 Secure authentication
6. Acceptable Use Policy                             | A.5.10 Acceptable use of information and other associated assets
7. Clear Desk and Clear Screen Policy                | A.7.7 Clear desk and clear screen
8. Physical and Environmental Security Policy        | A.7.5 Protecting against physical and environmental threats